diff --git a/ChangeLog b/ChangeLog index e18b5ec0..30cffd14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ ver. 0.10.4-dev-1 (20??/??/??) - development edition - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)` (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter how to set it to mode `normal`. +* `filter.d/domino-smtp.conf`: + - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets); + - failregex extended to catch connections rejected for policy reasons (gh-2228); * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions), see gh-2114; * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171): diff --git a/config/filter.d/domino-smtp.conf b/config/filter.d/domino-smtp.conf index cdc17736..638cd7c5 100644 --- a/config/filter.d/domino-smtp.conf +++ b/config/filter.d/domino-smtp.conf @@ -35,9 +35,12 @@ # 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password # 08-09-2014 06:14:27 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4 -__prefix = (?:\[[^\]]+\])?\s+ -failregex = ^%(__prefix)sSMTP Server: Authentication failed for user .*? \; connecting host $ - ^%(__prefix)ssmtp: (?:[^\[]+ )*\[\] authentication failure using internet password\s*$ +__prefix = (?:\[[^\]]+\])?\s* +__opt_data = (?::|\s+\[[^\]]+\]) +failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?\]?$ + ^%(__prefix)ssmtp: (?:[^\[]+ )*\[?\]? authentication failure using internet password\s*$ + ^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?\]? rejected for policy reasons\. + # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT diff --git a/fail2ban/tests/files/logs/domino-smtp b/fail2ban/tests/files/logs/domino-smtp index 4987e7ea..957d593f 100644 --- a/fail2ban/tests/files/logs/domino-smtp +++ b/fail2ban/tests/files/logs/domino-smtp @@ -6,3 +6,8 @@ 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password # failJSON: { "time": "2016-11-07T22:21:20", "match": true , "host": "1.2.3.4" } 2016-11-07 22:21:20 smtp: postmaster [1.2.3.4] authentication failure using internet password + +# failJSON: { "time": "2018-09-19T17:25:50", "match": true , "host": "192.0.2.1", "desc":"different log-format" } +2018-09-19 17:25:50 SMTP Server [0D14:0027-1334] Authentication failed for user Bad Hacker ; connecting host [192.0.2.1] +# failJSON: { "time": "2018-09-19T17:25:52", "match": true , "host": "192.0.2.2", "desc":"gh-2228, rejected for policy reasons" } +2018-09-19 17:25:52 SMTP Server [000527:000013-0000001227564800] Connection from [192.0.2.2] rejected for policy reasons. IP address of connecting host not found in reverse DNS lookup.